Security

• In transit: All traffic between your browser, our edge network, and our origin services is encrypted using TLS 1.2 or higher with modern cipher suites (no SSLv3, TLS 1.0, or TLS 1.1).
• At rest: Application data is stored on managed databases and object stores with AES-256 encryption at rest, enabled by default through our cloud providers.
• Secrets: API keys and credentials are stored in a managed secret store, scoped per environment, and rotated when staff change roles.

Images uploaded for enhancement are stored on encrypted object storage and sent to our AI sub-processor (see Section 6) for inference. Uploaded files and their derived outputs are automatically deleted within 24 hours of completion. We do not retain uploaded content for any longer than is needed to produce, deliver, and let you download your result.

We do not use customer content to train, evaluate, or fine-tune machine-learning models. This is a contractual commitment, not just a policy.

• Production access is restricted to a small number of authorised engineers.
• Two-factor authentication is mandatory for all production systems.
• Access is granted on a least-privilege basis and reviewed quarterly.
• All production access is logged and reviewed.
• Offboarded staff are revoked from all systems within 24 hours.

Hooky Generator is hosted on globally distributed serverless infrastructure that provides automatic patching, DDoS protection, network isolation, and isolated tenancy. Our edge network terminates TLS at the closest point of presence, reducing the attack surface of our origin.

Where possible we use managed services with built-in encryption, auditing, and backups, rather than rolling our own.

Card details are never sent to our servers. All payment information is collected directly by Stripe's embedded checkout and processed inside Stripe's PCI DSS Level 1 environment. We only receive a tokenised reference to the transaction (the last four digits of the card, brand, country, and amount).

Stripe's security posture and certifications are available at stripe.com/docs/security.

We use a small number of trusted third-party services to run Hooky Generator. Each one is bound by a written data-processing agreement and contractual confidentiality obligations.

See the full, up-to-date list on our Sub-processors page.

We continuously monitor system health, error rates, latency, and abnormal access patterns. Logs are retained for at least 30 days and are queryable for incident investigation. Sensitive data is redacted before being written to logs.

We have a written incident-response plan that covers detection, containment, eradication, recovery, and post-mortem. In the event of a confirmed personal-data breach that is likely to affect customers, we will:

• Notify affected customers without undue delay, and within 72 hours where required by law.
• Provide a clear description of what happened, what data was affected, and what we are doing about it.
• Cooperate with regulators and law-enforcement authorities as required.
• Publish a public post-mortem when appropriate.

• PCI DSS: handled by Stripe (Level 1). We are out-of-scope for cardholder data.
• GDPR / UK GDPR: Hooky acts as a data controller for account data and a data processor for image uploads. See our Privacy Policy and Data Processing Agreement.
• CCPA / CPRA: California residents have data-rights requests available at support@Hooky.com.
• SOC 2: our managed-services providers (Stripe, Vercel) hold SOC 2 Type II reports. Hooky does not currently hold a SOC 2 report of its own.

If you discover a security vulnerability or believe that an account is compromised, please email support@Hooky.com with the subject line “Security”. We respond to security reports within one business day and will work with you to validate and remediate the issue.

Please act in good faith: avoid privacy violations, data destruction, or service disruption while investigating. We will not pursue legal action against good-faith researchers who follow these guidelines.